Add opt-in CORS bypass endpoint

Cohee 2023-11-25 21:56:57 +02:00
parent 0410540066
commit b24d4f2340
2 changed files with 44 additions and 2 deletions


@ -11,6 +11,7 @@ const allowKeysExposure = false; // If true, private API keys could be fetched t
const skipContentCheck = false; // If true, no new default content will be delivered to you. const skipContentCheck = false; // If true, no new default content will be delivered to you.
const thumbnailsQuality = 95; // Quality of thumbnails. 0-100 const thumbnailsQuality = 95; // Quality of thumbnails. 0-100
const disableChatBackup = false; // Disables the backup of chat logs to the /backups folder const disableChatBackup = false; // Disables the backup of chat logs to the /backups folder
const enableCorsProxy = false; // Enables the CORS proxy for the frontend
// If true, Allows insecure settings for listen, whitelist, and authentication. // If true, Allows insecure settings for listen, whitelist, and authentication.
// Change this setting only on "trusted networks". Do not change this value unless you are aware of the issues that can arise from changing this setting and configuring a insecure setting. // Change this setting only on "trusted networks". Do not change this value unless you are aware of the issues that can arise from changing this setting and configuring a insecure setting.
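Review bot: The comment on the new `enableCorsProxy` line says what the flag is for but not what it exposes, unlike the insecure-settings warning directly below it. With the flag on, the server makes outbound requests to caller-chosen URLs for any client that can reach the listener, so the setting deserves the same kind of caution. I would word it as `const enableCorsProxy = false; // Enables the CORS proxy for the frontend. When true, the server fetches arbitrary URLs on behalf of any client that can reach it; enable only when access is restricted.`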


@ -76,8 +76,11 @@ const cliArguments = yargs(hideBin(process.argv))
type: 'boolean', type: 'boolean',
default: null, default: null,
describe: 'Automatically launch SillyTavern in the browser.' describe: 'Automatically launch SillyTavern in the browser.'
}) }).option('corsProxy', {
.option('disableCsrf', { type: 'boolean',
default: false,
describe: 'Enables CORS proxy',
}).option('disableCsrf', {
type: 'boolean', type: 'boolean',
default: false, default: false,
describe: 'Disables CSRF protection' describe: 'Disables CSRF protection'
@ -319,6 +322,44 @@ app.use(function (req, res, next) {
next(); next();
}); });
if (config.enableCorsProxy === true || cliArguments.corsProxy === true) {
console.log('Enabling CORS proxy');
app.use('/proxy/:url', async (req, res) => {
const url = req.params.url; // get the url from the request path
// Disallow circular requests
const serverUrl = req.protocol + '://' + req.get('host');
if (url.startsWith(serverUrl)) {
return res.status(400).send('Circular requests are not allowed');
}
try {
const headers = JSON.parse(JSON.stringify(req.headers));
delete headers['x-csrf-token'];
delete headers['host'];
delete headers['referer'];
delete headers['origin'];
delete headers['cookie'];
delete headers['sec-fetch-mode'];
delete headers['sec-fetch-site'];
delete headers['sec-fetch-dest'];
const bodyMethods = ['POST', 'PUT', 'PATCH'];
const response = await fetch(url, {
method: req.method,
headers: headers,
body: bodyMethods.includes(req.method) ? JSON.stringify(req.body) : undefined,
});
response.body.pipe(res); // pipe the response to the proxy response
} catch (error) {
res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error);
}
});
}
app.use(express.static(process.cwd() + "/public", {})); app.use(express.static(process.cwd() + "/public", {}));
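Review bot: The `/proxy/:url` handler fetches whatever destination the caller names, and its only guard, `url.startsWith(serverUrl)`, compares against a string built from the request's own Host header, so it covers neither other names for this server nor any other internal address the host can reach. Once the option is on, every client that can reach the listener can use the server as a relay into its network (server-side request forgery). Parsing the target with `new URL()`, accepting only http/https and checking the hostname against a configured allowlist would bound that. The header copy also leaves `authorization` in place, so if the instance is protected by HTTP basic auth (an assumption, the auth setup is not visible in this hunk) those credentials are forwarded to the third-party host. The 500 branch echoes the caller-supplied URL through `res.send()`, which serves strings as HTML by default, so it should be sent as plain text.

```javascript
app.use('/proxy/:url', async (req, res) => {
    const url = req.params.url; // get the url from the request path

    // Parse rather than prefix-match so scheme and host are checked explicitly.
    let target;
    try {
        target = new URL(url);
    } catch {
        return res.status(400).send('Invalid URL');
    }
    if (target.protocol !== 'http:' && target.protocol !== 'https:') {
        return res.status(400).send('Unsupported protocol');
    }
    // corsProxyAllowedHosts: proposed config list (placeholder name, not an existing setting)
    if (!corsProxyAllowedHosts.includes(target.hostname)) {
        return res.status(403).send('Destination not allowed');
    }

    // … unchanged: circular-request check …

    try {
        const headers = JSON.parse(JSON.stringify(req.headers));
        delete headers['authorization']; // do not hand this server's credentials to the destination
        // … unchanged: remaining header deletions, fetch call, response pipe …
    } catch (error) {
        res.status(500).type('text/plain').send('Error occurred while trying to proxy to: ' + url + ' ' + error);
    }
```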